As a result, it’s easier for scammers to scale and personalise their attacks, and it’s critical for businesses to be aware of this threat and understand how they can protect their staff. In this blog, we’ll look at what AI scams are and why they work, real-world examples, and what you can do to enhance your resilience – so let’s get started.
What Is An AI-Powered Scam?
AI is being used to create more convincing phishing and Business Email Compromise (BEC) scams, which both depend on human error to succeed.
Phishing Scams:
Cyber criminals send fraudulent emails or text messages, or make phone calls, pretending to be a trusted organisation. The email and text message versions contain links or attachments that trick recipients into handing over sensitive data (personal or financial information, login credentials) or installing malware. This can also take the form of spear phishing, where the message is tailored to a specific recipient using details about them, their role, or their colleagues.
Business Email Compromise (BEC):
BEC is a spear phishing scam which sees cyber criminals imitating C-suite executives or vendors to steal funds. It might look like a CEO asking for an urgent transfer of funds, or a vendor sending through a new invoice (with altered bank details). In both cases, the person or business making the request seems legitimate – so the scam is less likely to be questioned. Hackers may even send emails directly from the CEO or vendor’s compromised email account, making the attack even harder to spot. BEC can also be carried out with the intention of stealing data from HR staff, which is used to shape future attacks.
Now, let’s look at how cyber criminals are using AI to make these scams more realistic.
- ChatGPT or other generative AI tools are used to refine the wording, producing emails with perfect spelling and grammar and an appropriate tone, so the clumsy mistakes staff have been taught to look for are no longer there.
- AI is used to generate documents and invoices that look real – from the company’s branding to the content.
- Scammers are leveraging voice cloning tools to conduct more convincing phishing attacks over the phone. In this case, they can also use generative AI tools to write refined scripts for their attacks.
- Similarly, scammers can use AI-powered deepfake software to conduct convincing video calls posing as C-suite executives within a company.
Why Do These Scams Work?
They work because they combine psychological manipulation, familiarity, and real data scraped from the web. Cyber criminals create a sense of urgency and authority and impersonate people or companies the target already trusts, and AI makes it cheap to gather publicly available information about the target and their organisation to make the pretext convincing. For deepfakes, that raw material includes photos, video, and audio recordings of the person being impersonated.
Real World Examples
To understand the impact of phishing and BEC scams, let’s look at some real world examples.
- Pure Glass, a regional Western Australian company, lost $50,000 following a voice phishing scam. The scammer called the company pretending to be from Telstra (the company’s internet provider) in response to issues they were experiencing, and asked the staff member to download software. This was malicious software, and allowed the scammers to access Pure Glass’ computer and transfer the funds.
- The Northern Territory government was scammed out of $3.5 million, when a scammer posed as a contractor working with the construction company they’d hired and carried out a Business Email Compromise scam.
It’s clear phishing and BEC scams that play on human error can be both convincing and devastating – and AI will only see them become more successful. Email compromise and BEC fraud were also two of the top cyber crimes businesses reported to the Australian Signals Directorate in FY23-FY24, with scams costing Australians $2.03 billion in total.
How You Can Protect Your Business Against AI-Powered Scams
- Security Measures
- Implement robust email filtering, which stops many threats before they reach your team and before human error can come into play. Filtering will not catch everything, particularly a well-written email sent from a genuinely compromised vendor account, so treat it as the first layer rather than the only one.
- Implement multi-factor authentication (MFA) on email accounts so that a stolen password alone is not enough to take over an account and use it to launch BEC attacks. Where possible, prefer phishing-resistant methods such as hardware security keys or passkeys, since one-time codes and push approvals can themselves be phished or fatigued out of users.
- Implement domain protection with the SPF, DKIM, and DMARC email authentication standards. SPF lists which servers may send mail for your domain, DKIM signs outgoing mail so receivers can verify it was not altered in transit, and DMARC tells receivers what to do (reject, quarantine, or only report) when a message claiming to be from your domain fails those checks; aim for a DMARC policy of reject once you have confirmed your legitimate senders pass. Together these stop scammers sending email that appears to come from your exact domain. They do not stop lookalike domains, where a scammer registers a domain that looks very similar to yours (a swapped letter or a different ending) and sends from that, so pair them with lookalike-domain monitoring and staff who check the sender address carefully.
- Staff Awareness Training
- Run ongoing staff training, including phishing simulations, around cyber security awareness. This ensures your team is across current online risks (including phishing and BEC scams).
- You should also include examples of how AI is affecting these threats, and teach your staff about the importance of double-checking tone, context, and processes (more on this below).
- Process and Policy Improvements
- Set up multi-step approval processes for financial transactions.
- Require out-of-band confirmation for payment requests and changes to bank details: staff call the requester back on a number already on file (never one supplied in the email) so they confirm with the actual person before acting. Given voice cloning, a call the requester initiates is not proof of identity; the callback to a known number is what matters.
- Create an escalation process for “urgent” emails, so that urgency triggers extra scrutiny instead of bypassing it.
How Bekkers Can Help
While AI is making phishing and BEC scams harder to detect, the right education, tools, and expert support allow you to catch them before serious damage is done. At Bekkers, we help you to implement security measures, build policies, and teach your team to spot threats. This ensures you stay safer online and avoid falling victim to AI-powered scams. If you’d like to chat about how we can enhance your cyber resilience, get in touch with our friendly experts today here.